
Prerequisites

Please ensure the following requirements are met:

  • FortiGate running FortiOS v7.2.8 Special Build 9127 or newer, which incorporates the Securosys PKCS#11 Provider (v2.2.4 or newer)
  • Securosys Hardware Security Module with the PKCS#11 API enabled (see the HSM setup below)

HSM Setup and Configuration

Securosys CloudHSM provides HSM operation almost instantly: select and contract the services and options your FortiGate needs.

The HSM must be initialized, and a dedicated user (partition) must be set up for the FortiGate.

Verify that

  • the PKCS#11 API is licensed and enabled, and the PKCS#11 password is defined
  • a fresh, valid setup password for that user has been retrieved for client onboarding
  • the Security Policy of the user is restricted (Key import, Key export and Key extract disabled)

Enable PKCS#11 API

The API must be enabled at both device level and user level.

  • Setup → Configuration → Security → Device Security → Crypto Policy → PKCS#11: enabled
  • Setup → Configuration → Security → User Security → (user name) → PKCS#11: enabled

Set PKCS#11 Password

This assumes the password is configured at user level.

  • Setup → Configuration → Security → User Security → (user name) → PKCS#11 password

Retrieve a New Setup Password

To generate a new setup password for the specific partition (user):

  • Roles → User → New Setup Pw

Disable Wrapped Key Export, Key Extract, and Key Import

  • Setup → Configuration → Security → User Security → (user name) → Key export: disabled
  • Setup → Configuration → Security → User Security → (user name) → Key extract: disabled
  • Setup → Configuration → Security → User Security → (user name) → Key import: disabled
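Once the partition is configured, it is worth confirming from a PKCS#11 client that the restricted policy is actually in force before pointing the FortiGate at it. The script below is an added example, not Securosys or Fortinet code. It uses the python-pkcs11 package (`pip install python-pkcs11`) and reads the provider library path, token label and PIN from environment variables; the assumptions that the token label equals the HSM user (partition) name and that the user PIN is the PKCS#11 password set above are for illustration. It generates a session-only test key, checks its CKA_EXTRACTABLE / CKA_SENSITIVE / CKA_LOCAL attributes, then attempts a wrap (export) and a raw-value create_object (import), both of which a correctly restricted partition must refuse.

```python
"""Probe a PKCS#11 token for the restricted key policy (no import/export/extract).

Added example; not Securosys or Fortinet code. Requires python-pkcs11 and a
reachable PKCS#11 module. Environment variables (names are an assumption):
  PKCS11_MODULE  path to the provider library
  PKCS11_TOKEN   token label (assumed to equal the HSM user / partition name)
  PKCS11_PIN     user PIN (assumed to be the PKCS#11 password defined above)
"""
import os

# Attribute values a key must show on a restricted partition.
REQUIRED = {
    "EXTRACTABLE": False,  # CKA_EXTRACTABLE: key may never be wrapped out
    "SENSITIVE": True,     # CKA_SENSITIVE: plaintext value is never readable
    "LOCAL": True,         # CKA_LOCAL: generated on the token, not imported
}


def policy_findings(attrs):
    """Compare observed key attributes against REQUIRED.

    attrs maps attribute name -> observed value. Returns a list of findings;
    an empty list means the key complies with the restricted policy.
    """
    findings = []
    for name, wanted in REQUIRED.items():
        observed = attrs.get(name)
        if observed is None:
            findings.append(f"{name}: attribute not reported by token")
        elif observed != wanted:
            findings.append(f"{name}: expected {wanted}, got {observed}")
    return findings


def probe_token(module_path, token_label, user_pin):
    """Live checks against the token; returns a dict of results."""
    import pkcs11
    from pkcs11 import Attribute, KeyType, ObjectClass
    from pkcs11.exceptions import PKCS11Error

    lib = pkcs11.lib(module_path)
    token = lib.get_token(token_label=token_label)
    report = {}
    with token.open(user_pin=user_pin, rw=True) as session:
        # store=False keeps both test keys session-only; nothing persists.
        key = session.generate_key(KeyType.AES, 256, store=False, label="policy-probe")
        wrapper = session.generate_key(KeyType.AES, 256, store=False, label="policy-probe-wrap")

        report["attribute_findings"] = policy_findings({
            "EXTRACTABLE": key[Attribute.EXTRACTABLE],
            "SENSITIVE": key[Attribute.SENSITIVE],
            "LOCAL": key[Attribute.LOCAL],
        })

        # Export check: wrapping the test key must be refused (Key export/extract disabled).
        try:
            wrapper.wrap_key(key)
            report["export"] = "ALLOWED - policy is not restricted"
        except PKCS11Error as exc:
            report["export"] = f"refused ({type(exc).__name__})"

        # Import check: creating a secret key from a raw value must be refused (Key import disabled).
        try:
            session.create_object({
                Attribute.CLASS: ObjectClass.SECRET_KEY,
                Attribute.KEY_TYPE: KeyType.AES,
                Attribute.VALUE: bytes(32),  # constructed all-zero test value
                Attribute.TOKEN: False,
            })
            report["import"] = "ALLOWED - policy is not restricted"
        except PKCS11Error as exc:
            report["import"] = f"refused ({type(exc).__name__})"
    return report


if __name__ == "__main__":
    result = probe_token(os.environ["PKCS11_MODULE"],
                         os.environ["PKCS11_TOKEN"],
                         os.environ["PKCS11_PIN"])
    for name, value in result.items():
        print(f"{name}: {value}")
```

Run it with the three environment variables set; every line of the output should read "refused" or report an empty findings list. Any "ALLOWED" or attribute mismatch means one of the three Security Policy switches above is still enabled for that user, and the partition should not be handed to the FortiGate until it is fixed.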